TTechclick ⚡ XP 0% All lessons
SailPoint · Identity Governance · Connectors & SourcesInteractive · L1 / L2 / L3

SailPoint Connectors & Sources — Aggregation, Correlation & Provisioning

Before SailPoint can govern an identity it must first find all the accounts that belong to it. This lesson maps how sources and connectors work — VA-based versus SaaS connectivity, account and group aggregation, correlation rules that link accounts to identities, provisioning connectors, and IQService for Windows targets — so you understand every step of data onboarding from schema design to a live certified account.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master SailPoint connectors and sources in 2026: how VA-based and SaaS connectivity connect to target systems, run account and group aggregation, apply correlation rules, enable provisioning, and how IQService bridges Windows environments — with end-to-end data-onboarding mechanics.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Sources & connectors

What a source is, what a connector does, and how they pair.

 2

VA vs SaaS connectivity

Virtual Appliance vs SaaS Connectivity framework.

 3

Aggregation & schema

Account agg, group agg, schema, IQService.

 4

Correlation & provisioning

Linking accounts to identities and writing changes back.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. In SailPoint, what does 'aggregation' mean?

Answered in Sources & connectors.

2. What problem does a correlation rule solve?

Answered in Aggregation & schema.

3. Which component bridges SailPoint Identity Security Cloud to Windows-only APIs?

Answered in Aggregation & schema.

Most engineers think…

Most candidates describe SailPoint as 'a tool that pulls accounts from Active Directory.' That half-answer loses marks in interviews and leaves gaps in production deployments.

SailPoint's true power is multi-source identity correlation: it connects to every authoritative and managed system — AD, HR, SaaS apps, databases — via sources and connectors, runs account and group aggregation, applies correlation rules to stitch raw accounts onto a single identity cube, and then uses provisioning connectors to write changes back. Understanding that full loop — onboarding mechanics in, governance action out — is what separates a SailPoint engineer from a SailPoint user.

① Sources and connectors — the bridge between ISC and target systems

A source in SailPoint Identity Security Cloud (ISC) is the configuration object that represents a target system: Active Directory, Workday, Salesforce, a database, an on-prem app. A connector is the technical bridge — the library or service — that actually speaks the target system's protocol (LDAP, SCIM, REST, JDBC). You always configure a source; the connector is what runs underneath it.

Every source has an account schema that tells ISC which attributes to read. Two special attributes must always be set: Account ID (the stable unique key, e.g. sAMAccountName) and Account Name (the display label). Get these wrong and correlation breaks for every account on that source.

By default every new source is read-only — it can aggregate but not provision. Deep governance features (provisioning, password management, group management) must be explicitly enabled in the source's Base Configuration. This default-safe posture is deliberate: onboard first, govern second.

Figure 1 — SailPoint data-onboarding pipeline
Every governed identity starts with this pipeline: source config feeds aggregation, correlation links accounts to identities, and provisioning writes changes back.SailPoint data-onboarding pipelineSource configschema + credentialsAggregationaccounts + groupspulledCorrelationaccount linked to cubeIdentity cubegoverned profile builtProvisioningchanges written back
Every governed identity starts with this pipeline: source config feeds aggregation, correlation links accounts to identities, and provisioning writes changes back.
Default read-only is your friend

New sources start read-only by design. Onboard, aggregate and correlate first — confirm the data looks right in ISC — before you enable provisioning. Enabling provisioning on a misconfigured source can propagate bad data at scale.

Quick check · Q1 of 10 · Remember

Which two schema attributes MUST always be set on a SailPoint source?

Correct: b. Account ID is the stable unique key (e.g. sAMAccountName) and Account Name is the display label. These two drive correlation and display throughout ISC — get them wrong and aggregation + correlation both break.
👉 So far: A source = the ISC config for one target system; a connector = the protocol bridge underneath it. Defaults are read-only — provisioning must be explicitly enabled.

② VA-based connectivity vs SaaS Connectivity — choosing the right bridge

SailPoint offers two connectivity models. VA-based (Virtual Appliance) connectors run inside your network on a VA cluster — a pair of lightweight Linux VMs you deploy in your data centre or private cloud. The VA reaches out to ISC over HTTPS, so no inbound firewall holes are needed. VA-based connectors are the right choice for on-premises systems, legacy apps and anything that cannot expose a public API.

SaaS Connectivity (the SaaS Connector framework) is SailPoint's cloud-native bridge for cloud-to-cloud integrations. Connectors built on this framework run in SailPoint's own cloud infrastructure, connect to SaaS targets directly over the internet, and need no VA at all. SailPoint publishes a growing library of SaaS connectors (Okta, GitHub, Google Workspace, Slack, and many others), and the open SDK lets customers build custom ones in TypeScript.

Decision rule

VA-based for anything behind a firewall or requiring Windows APIs; SaaS Connectivity for pure-cloud targets with a public REST or SCIM endpoint. Many enterprises run both in the same ISC tenant — each source picks the connectivity model that fits its target.

Figure 2 — VA-based vs SaaS Connectivity
Choose connectivity model by where the target lives — on-prem or cloud — not by personal preference.VA-based vs SaaS ConnectivityVA-based connectorRuns on your VA cluster VMsReaches on-prem & legacyNo inbound firewall holes neededSupports IQService for WindowsSaaS ConnectivityRuns in SailPoint cloud infraCloud-to-cloud via REST/SCIMNo VA required at allCustom connectors via TypeScript
Choose connectivity model by where the target lives — on-prem or cloud — not by personal preference.
🔌
Source
tap to flip

The ISC config object representing one target system — holds credentials, schema (Account ID + Name), aggregation schedule, and provisioning settings. Default is read-only.

🌉
Connector
tap to flip

The technical bridge underneath a source — speaks the target's protocol (LDAP, SCIM, REST, JDBC). VA-based connectors run on your VA cluster; SaaS connectors run in SailPoint's cloud.

🪟
IQService
tap to flip

A lightweight Windows service installed on a Windows Server inside your network. Proxies Windows-only API calls (AD, Exchange, Skype) to the cloud ISC platform over TLS.

🔗
Correlation rule
tap to flip

A BeanShell or criteria-based rule that maps an aggregated account to an identity cube — e.g. account.email == identity.email. No match = uncorrelated orphan.

Quick check · Q2 of 10 · Apply

A customer needs to connect ISC to an on-premises Oracle HR system behind a firewall. Which connectivity model should they use?

Correct: b. VA-based connectors are the right choice for on-prem or firewall-protected systems. The VA cluster sits inside the network, connects to the target directly, and phones home to ISC over outbound HTTPS — no inbound holes needed. SaaS Connectivity is for cloud-to-cloud targets.
👉 So far: VA-based connectors sit inside your network for on-prem targets; SaaS Connectivity runs in SailPoint's cloud for cloud-to-cloud integrations. Many tenants run both.

③ Account & group aggregation, schema, and IQService

Account aggregation is the process of pulling every account from a target system into ISC. A full aggregation reads all accounts; a delta aggregation reads only changes since the last run. You can trigger aggregation manually, on a schedule, or via the API. ISC stores the result as account objects keyed by Account ID.

Group aggregation reads the groups (or roles, entitlements, org units) from the target system so that ISC knows what groups exist before it can see which accounts are members of them. Groups become entitlements in ISC — the things you certify, request and revoke. Group aggregation must run before account aggregation completes membership data correctly.

IQService (also called the Integration Service) is a lightweight Windows service installed on a Windows Server inside your network. It acts as a proxy between ISC and systems that only expose Windows APIs — Active Directory, Exchange, Skype, RACF on Windows — giving the cloud platform access it could not get over standard protocols alone. A single IQService instance can serve multiple sources. SailPoint releases IQService updates regularly (the Feb-2025 and May-2025 releases added stability and TLS improvements). Always secure IQService with TLS and client authentication.

Figure 3 — IQService as Windows API proxy
IQService sits inside your network and proxies Windows-only API calls from the cloud-hosted ISC platform to on-prem Windows targets.IQService as Windows API proxyIQServiceWindows proxyActive DirectoryExchange ServerSkype for BusinessRACF on WindowsISC (cloud)Custom VA sources
IQService sits inside your network and proxies Windows-only API calls from the cloud-hosted ISC platform to on-prem Windows targets.
Skipping group aggregation before account aggregation

If you run account aggregation before group aggregation on an LDAP or AD source, membership attributes (memberOf) come in unresolved. Always schedule group aggregation first, or at minimum confirm groups are populated before you rely on entitlement data for certifications.

▶ Watch an AD account get aggregated, correlated and provisioned

End-to-end: source config fires an aggregation, the account is correlated to an identity, and a new entitlement is provisioned back to AD. Press Play for the healthy path, then Break it.

① AggregationISC fires a scheduled full aggregation on the Active Directory source. IQService on the Windows Server receives the request and queries AD via LDAP.
② Account objectsIQService returns accounts and group memberships to ISC. ISC creates or updates account objects using Account ID (sAMAccountName) as the key.
③ CorrelationThe correlation rule compares account.email to identity.email. A match is found — the account is linked to Priya Sharma's identity cube.
④ ProvisioningAn access request approves adding Priya to the Finance-Users AD group. ISC generates a provisioning plan and IQService writes the group membership back to AD.
Press Play to step through the healthy aggregation-to-provisioning path. Then press Break it.
Quick check · Q3 of 10 · Understand

Why must group aggregation run before account aggregation finishes populating membership data?

Correct: c. Account membership attributes (like memberOf) reference groups by name or DN. If the groups are not yet loaded into ISC as entitlements, ISC cannot resolve those references correctly. Run group aggregation first, then account aggregation.
👉 So far: Full aggregation pulls all accounts; delta pulls only changes. Group aggregation must precede membership data. IQService proxies Windows-only APIs (AD, Exchange) to ISC over TLS.

④ Correlation rules — linking accounts to identities — and provisioning

After aggregation, ISC needs to decide which identity cube each account belongs to. That is the job of a correlation rule. A typical rule compares the account's email attribute against the identity's email attribute; if they match, the account is correlated. You can chain multiple criteria or use a custom BeanShell rule for complex cases.

When no match is found, ISC creates a uncorrelated account (sometimes called an orphan). Uncorrelated accounts should be reviewed regularly — they are a governance gap. Good schema design and a well-written correlation rule keep this number small.

Provisioning connectors

Once deep governance is enabled on a source, ISC can write changes back via the same connector. A provisioning plan is generated — listing the exact creates, modifies and deletes — and the connector executes it against the target. Provisioning can be direct (ISC to target) or queue-based (ISC to a service desk or manual-work-item queue). Always test provisioning in a sandbox source before enabling it on production.

Figure 4 — Correlation rule evaluation flow
ISC evaluates each aggregated account against the configured correlation rule and either links it to an identity or flags it as an uncorrelated orphan.Correlation rule evaluation flowAggregatedaccount arrives in ISCRule evalemail / ID match checkMatch found?yes or no branchCorrelatedlinked to identitycubeUncorrelatedorphan flagged forreview
ISC evaluates each aggregated account against the configured correlation rule and either links it to an identity or flags it as an uncorrelated orphan.

Priya at a Pune NBFC faces this

After onboarding a new HR system source, 80% of the 4,000 aggregated accounts show as uncorrelated orphans in ISC even though every employee already has an identity.

Likely cause

The HR system stores email as 'priya.sharma@nbfc.co.in' but ISC identity cubes carry 'priya.sharma@nbfc.com' — a domain mismatch that makes the default email-match correlation rule fail.

Diagnosis

Open Admin > Connections > Sources > [HR Source] > Correlation and check the rule criteria. Sample 5 orphan accounts and compare their email against the matched identity attribute — the domain suffix differs.

Admin ▸ Connections ▸ Sources ▸ HR Source ▸ Correlation
Fix

Update the correlation rule to strip the domain and compare only the local part (left of @), or add a transformation on the source attribute to normalise the domain before the rule runs. Re-run full aggregation.

Verify

After the next full aggregation, the uncorrelated account count should drop to near zero. Spot-check 10 previously orphaned accounts and confirm each is now linked to the correct identity cube.

Prove correlation with a sample before go-live

Never trust a correlation rule until you have manually sampled at least 20 accounts across edge cases — contractors, service accounts, shared mailboxes. Run aggregation in test, inspect the identity cube links in ISC, and only then promote the rule to production.

Quick check · Q4 of 10 · Analyze

After a full aggregation, the ISC admin notices a large number of uncorrelated accounts. What is the MOST likely root cause?

Correct: a. Uncorrelated accounts almost always mean the correlation rule is comparing the wrong attributes — e.g. source email format does not match identity email format — so no match is found. The VA being offline would stop aggregation entirely; read-only mode affects provisioning, not aggregation.
👉 So far: Correlation rules map aggregated accounts to identity cubes — no match = uncorrelated orphan. Provisioning writes changes back via the same connector, from a provisioning plan.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which attribute in a SailPoint source schema serves as the stable unique key for each account?

Correct: b. Account ID is the unique, stable identifier — e.g. sAMAccountName in AD. It is the primary key ISC uses to track and update account objects across aggregations. Account Name is the display label, not the key.
Q6 · Understand

A SailPoint architect says 'run group aggregation before account aggregation.' Why?

Correct: d. Group aggregation loads groups as entitlements in ISC. Account aggregation then uses those entitlements to resolve membership attributes (like memberOf). If groups are not loaded first, membership data is unresolved and entitlement data is missing from identity cubes.
Q7 · Apply

A customer wants to connect ISC to Slack (a cloud SaaS app). Which connector model is best?

Correct: c. Slack is a cloud SaaS application with a public REST API. SaaS Connectivity runs in SailPoint's cloud and connects directly — no VA is needed. VA-based is for on-prem targets; IQService is specific to Windows environments.
Q8 · Analyze

After enabling deep governance on an AD source, provisioning requests succeed in ISC but the changes never appear in Active Directory. What is the most likely cause?

Correct: a. For AD, IQService handles write-back to Active Directory. If IQService is stopped, misconfigured, or has a TLS error, provisioning plans are accepted by ISC but never executed against AD. Check IQService status and logs on the Windows Server hosting it.
Q9 · Evaluate

An admin wants to keep ISC accounts in sync with a high-volume directory that changes thousands of records daily. What is the best aggregation strategy?

Correct: b. Delta aggregation reads only changes since the last run — fast and low-impact on the target. Full aggregation reads everything and is slow on large directories. Best practice is frequent delta runs (e.g. every 15–60 minutes) with a weekly full aggregation to catch any drift.
Q10 · Evaluate

What is the safest sequence for onboarding a new source that will eventually have provisioning enabled?

Correct: d. Sources default to read-only. The safe sequence is: configure the source and schema, run aggregation, verify the correlation results and identity data in ISC, then enable deep governance and test provisioning in a sandbox before promoting to production. Enabling provisioning before data is verified risks propagating bad data at scale.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the difference between a VA-based connector and SaaS Connectivity, and when would you use each? Then compare with the expert version.

Expert version: VA-based connectors run on a Virtual Appliance cluster inside your network and are the right choice for on-premises or firewall-protected systems — the VA reaches the target locally and phones home to ISC over outbound HTTPS. SaaS Connectivity runs in SailPoint's own cloud infrastructure and is the right choice for cloud SaaS targets that expose a public REST or SCIM API — no VA is required at all. Many production tenants run both models in the same ISC tenant, choosing per source based on where that target system lives.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Source
The ISC configuration object for one target system — holds credentials, account schema, aggregation settings and (when enabled) provisioning settings. Read-only by default.
Connector
The technical bridge beneath a source that speaks the target system's protocol — LDAP, SCIM, REST, JDBC, etc. VA-based or SaaS-hosted.
Account aggregation
The process of pulling all (full) or changed (delta) accounts from a target system into ISC as account objects.
Correlation rule
A BeanShell or criteria-based rule that maps an aggregated account to an identity cube — e.g. matching account.email to identity.email.
Uncorrelated account
An aggregated account ISC could not match to any existing identity cube — an orphan that represents a governance gap and should be reviewed.
IQService
A lightweight Windows service (also called Integration Service) that proxies Windows-only API calls between cloud-hosted ISC and on-prem Windows targets like AD and Exchange.
SaaS Connectivity
SailPoint's cloud-native connector framework for cloud-to-cloud integrations — connectors run in SailPoint infrastructure and need no VA.
Provisioning plan
The structured list of account creates, modifies and deletes generated by ISC when an access request or lifecycle event is approved — executed by the connector.

📚 Sources

  1. SailPoint — Identity Security Cloud Connectivity landing page. documentation.sailpoint.com/connectors/isc/landingpages/help/landingpages/isc_landing.html
  2. SailPoint — Configuring Sources in Identity Security Cloud. documentation.sailpoint.com/saas/help/sources/config_sources.html
  3. SailPoint — Introduction to IQService (Integration Service). documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/intro.html
  4. SailPoint — SaaS Connectivity developer documentation & SDK. developer.sailpoint.com/docs/connectivity/saas-connectivity/
  5. SailPoint — Aggregation Settings — account and group aggregation. documentation.sailpoint.com/connectors/saas/identity_security_cloud_gov/help/saas_connectivity/identity_security_cloud_governance/aggregation_settings.html
  6. SailPoint Developer Community — New Capability: Integration Service (IQService-May-2025) is now LIVE!. developer.sailpoint.com/discuss/t/new-capability-integration-service-iqservice-may-2025-is-now-live/103924

What's next?

Got sources and aggregation? Next, go deep on SailPoint access certification campaigns — how access reviews are launched, who gets included, what certifiers decide, and how automated remediation closes the loop on stale access.

Next · All interview lessons → Practice on exam.techclick.in →